Method for transmitting messages between an emitter and at least on receiver and system for implementing said method

ABSTRACT

Example embodiments relate to a method and system for transmitting messages between an emitter and at least one receiver. The method may include encrypting a message (m) to be transmitted by means of a key (a) associated to the emitter, sending the encrypted message to a conversion module including at least a conversion key (π a     →     b ) and a conversion function, the conversion module being placed between the emitter and the at least one receiver, converting the encrypted message received in the conversion module by at least one message encrypted in such a way as to be able to be decrypted by a key (b) specific to the at least one receiver, the conversion being carried out without the initial message appearing in plaintext in the conversion module, and resulting in as much messages in accordance to a number of receivers, sending the converted message to a certain receiver, and decrypting the converted message received by the certain receiver via the key b specific to the receiver, wherein the conversion key (π a     →     b ) of the conversion module depends on a non trivial value raised to a power of the key (a) bound to the emitter and of the key (b) bound to the at least one receiver.

PRIORITY STATEMENT

This application claims the benefit of European Patent Application No.04292975.2, filed on Dec. 10, 2004, the disclosure of which isincorporated herein in its entirety by reference.

Example embodiments relate to a method for transmitting messages betweenan emitter and at least one receiver, and a system including an emitterand at least one receiver.

It is placed in particular, but not exclusively, in the context of theencryption of conditional access data, this data forming a contenttransmitted by a supplier to several multimedia units. This data or thiscontent can in particular be Pay-TV events.

BACKGROUND

There are currently many message encryption methods, these methods eachhaving specific characteristics with regards to their application ortheir security level.

In most cases, the content is first encrypted by means of a plurality ofkeys which can each have a relatively short life, these keys beingcalled “control words”. The content encrypted in this way, istransmitted to multimedia units which are subscribed to the supplier.The control-words are themselves encrypted by means of a transmissionkey and sent in the form of control messages (Entitlement controlmessage ECM).

The extraction and the decryption of the control words is carried out ina security module which can have notably the form of a smart card. Whenthe control-words have been decrypted, they can be used to decrypt thecontent. As this method is well known to those skilled in the art, it isnot described in more detail here.

There are also methods in which the use of a security module is notnecessary or desired. An example of such a method uses a specificencryption type, such as notably proposed by Blaze & Strauss (MattBLAZE, Martin STRAUSS. Atomic Proxy Cryptography, Technical report, AT&TResearch,(http://www.research.att.com/resources/trs/TRs/98/98.5/98.5.1.body.ps).

This document describes an encryption method in which a message isencrypted by means of a key bound to the emitter and sent in aconversion module, which transforms the message received into anothermessage that can be decrypted by means of a key bound to the receiver.This conversion module does neither deliver the message in plaintext,nor the key bound to the emitter, nor the one bound to the receiver.This module also contains a particular function, called thereafterconversion function, which allows the modification of the messageaccording to the constraints defined above.

The conversion module according to Blaze & Strauss operates in thefollowing way:

From the encryption side, that is to say the emitter side, one has asecret key “a” and a random number generator, which generates a value“k”. This value belongs to the set 9*_(2q) that is to say the set ofintegers between 0 and 2q−1 which are prime numbers with 2q. Forexample, if q=5, the set 9*₁₀={;1;2;3;5;7;9}. Two values “p” and “q” arealso determined such that “p” and “q” are large prime numbers and suchthat p=2q+1. The idea of a large number is not defined by a precisenumerical value. The larger the used numbers are, the more difficult itis for a third party to find these values by successive attempts. Thesecurity level is therefore connected to the size of the used numbers.

The emitter also has a value “g” belonging to the set 9*_(p).

From the encryption side, these messages are also generatedC1=(mg ^(k))_(mod p)andC2=[(g ^(a))^(k)]_(mod p)

The value (g^(a))_(mod p) is the public key of the emitter.

The couple <C1;C2> forms the message which is generated by the emitterand which is transmitted to the conversion module.

The conversion module assigns a conversion key and a conversionfunction.

The key is equal to:

$\pi_{a\rightarrow b} = \left( {b*\frac{1}{a}} \right)_{{mod}\mspace{11mu} 2q}$

The conversion function associated to this key is:C2′=[(C2)⁽ ^(π) ^(a→b))]_(mod p)

When the couple <C1;C2> is introduced into the conversion module, thevalue of C1 is not modified. C2 instead changes to C2′ according to theabove conversion function.

The couple <C1;C2> entering into the conversion module is transformedinto an output couple <C1;C2′>. The latter is transmitted to thereceiver and more precisely to the secured part of the receiver whichcontains the secret key b1 specific to this receiver. In principle, eachreceiver is provided with his own key “b”.

From the received values, the receiver can deduce the message byapplying the following formula:

$m = \left( {C\; 1*\frac{1}{\left( {C\; 2^{\prime}} \right)^{{({1/b})}{mod}\mspace{11mu} 2q}}} \right)_{{mod}\mspace{11mu} p}$

Although perfectly functional, this method suffers a major disadvantagewhen it is put into practice, in particular in an environment in whichan emitter supplies a great number of receivers. In fact, by knowing thekey b₁ of a specific receiver and the conversion function π_(a) _(→)_(b), it is relatively simple to calculate the key “a” of the emittersuch that

$\pi_{a\rightarrow{b\; 1}} = {\left( {b_{1}*\frac{1}{a}} \right)_{{mod}\mspace{11mu} 2q}.}$

From that point, it is possible for a person with bad intentions to makethe key “a” of the emitter available to third parties. This then allowsto calculate the keys b_(i) of all the receivers supplied by thisemitter and using the same conversion function. This means that a userwho has subscribed to at least one channel managed by the data suppliercan freely have access to all the other channels of this supplier.

The following description explains in more detail, the aforementionedproblem.

Imagine a user having a multimedia unit STB2 with the secret key b2.This user is a subscriber of channels 1, 2 and 3 having respectively thekeys a1, a2 and a3. Suppose that this user knows his secret key b2.Since he is subscriber, he receives the conversion keys

$\pi_{{a\; 1}\rightarrow{b\; 2}},{{\pi_{{a\; 2}\rightarrow{b\; 2}}\mspace{14mu}{and}\mspace{14mu}\pi_{{{a\; 3}\rightarrow{b\; 2}},}\mspace{14mu}{where}\mspace{14mu}\pi_{{ai}\rightarrow{b\; 2}}} = {\left( {b_{2}*\frac{1}{ai}} \right)_{{mod}\mspace{11mu} 2q}.}}$

From these elements, it is relatively simple to calculate a1, a2 and a3.The user with bad intentions can therefore make these keys a1, a2 and a3available, for example, by a network such as Internet.

Imagine another user having a multimedia unit STB1 with the secret keyb1. This user is subscriber of channel 1 using the key a1. This channel,for example, can be a part of a cheap basic offer. The subscribertherefore receives the conversion key

$\pi_{{a\; 1}\rightarrow{b\; 1}} = {\left( {b_{1}*\frac{1}{a\; 1}} \right)_{{mod}\mspace{11mu} 2q}.}$From this point, he can easily determine b1, that is to say the secretkey of his own multimedia unit. He can also receive a2 and a3 from theuser having the previously mentioned multimedia unit STB2. With theseelements, he can create the conversion key for channels 2 and 3 using

$\left( {b_{1}*\frac{1}{a\; 2}} \right)_{{mod}\mspace{11mu} 2q} = {{\pi_{{a\; 2}\rightarrow{b\; 1}}\mspace{14mu}{and}\mspace{14mu}\left( {b_{1}*\frac{1}{a\; 3}} \right)_{{mod}\mspace{11mu} 2q}}\; = {\pi_{{a\; 3}\rightarrow{b\; 1}}.}}$In this way, he will have access to channels 2 and 3 without havingacquired the corresponding subscription rights. The same is true for aperson having cancelled his subscription and who has calculated thespecific key b1 of his receiver before the cancellation.

In this way, if the security of one of the receivers is compromised, thesecurity of all of the other receivers is also compromised.

Another disadvantage of the method described above is the fact that theconstruction of the conversion key requires the knowledge of the secretkey “a” of the emitter and that of the encryption stage b, which is notoptimal from a security point of view.

SUMMARY

The present invention intends to avoid the disadvantages of the methodsof the prior art and in particular of the method according to Blaze &Strauss as described above.

This object is achieved by a method for transmitting messages between anemitter and at least one receiver, comprising the following steps:

-   -   encryption of the message (m) to be transmitted by means of a        key (a) associated to said emitter;    -   sending of the encrypted message in a conversion module        comprising a conversion key (π_(a) _(→) _(b)) and a conversion        function;    -   conversion of the encrypted message received in the conversion        module in an encrypted message in order to be able to be        decrypted by a key (b) specific to said receiver, this        conversion being carried out without the initial message        appearing in plaintext in the conversion module;    -   sending the converted message to said receiver;    -   decryption of said transformed message received by said receiver        by means of the specific key b;        wherein the conversion key (π_(a) _(→) _(b)) of the conversion        module depends on a non trivial value raised to the power of the        key (a) bound to the emitter and of the key (b) bound to the        receiver.

The objects of the invention are also achieved by a system fortransmitting messages between an emitter and at least one receiver, saidemitter comprising means to encrypt said message (m) by means of a key(a) associated to this emitter, said system comprising at least oneconversion module in which a conversion key (π_(a) _(→) _(b)) and aconversion function are memorized, this conversion module being arrangedto convert the input message (m) into a message able to be decrypted bya key (b) specific to said receiver, this receiver comprising adecryption stage arranged to decrypt the output message of theconversion module, wherein the conversion key (π_(a) _(→) _(b)) of theconversion module depends on a non trivial value raised to the power ofthe key (a) bound to the emitter and of the key (b) bound to thereceiver.

The method of the invention applies in cases where the receiver is ableto decrypt encrypted messages according to the ElGamal algorithm (TaherElGamal, “A Public-Key Cryptosystem and a Signature Scheme Based onDiscrete Logarithms”, IEEE Transactions on Information Theory, v. IT-31,n. 4, 1985, pp 469-472 or CRYPTO 84, pp 10-18, Springer-Verlag) or allvariants of this, in particular the variants using at least one ellipticcurve.

The method of the invention guarantees optimal security avoiding thenecessity of using a security module. Using the method of the invention,the data stream and messages are encrypted identically for each user andcan be broadcast conventionally. The data and messages are thendecrypted by each user in such a way that the accessible data by one ofthe users cannot be used by another user.

Moreover, knowing the secret key of one of the receivers does not allowthe calculation of the other keys used in the system. In this way, onlythe receiver whose secret key has been compromised is able to haveaccess to data to which he does not necessarily have the authorization.He cannot let third parties take advantage. The discovery of the secretsof one of the receivers does not therefore compromise the security ofother receivers connected to the same emitter.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be better understood thanks to the following detaileddescription which refers to the enclosed drawings, which are given as anon limitative example, in which:

FIG. 1 represents the message transmission system according to thisinvention, in a specific embodiment; and

FIG. 2 shows the general message transmission method of the invention.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

This invention is described with reference to figures, on the basis of apractical application in which the emitter is a Pay-TV management centreCG and in which the receivers are multimedia STB units intended forreceiving Pay-TV events. These multimedia units are, for example,decoders or computers.

In the embodiment illustrated in particular by FIG. 1, it is supposedthat a content CT to be transmitted, that is to say, data relating to aPay-TV event are encrypted by control-words cw. The method according tothe invention is applied to the entitlement control messages ECMcontaining the control words. It is however to be noted that it ispossible to directly apply the method of the invention to data relatingto the pay-TV events. In this case, these would not be encrypted bycontrol-words. In practice, however, this way of functioning is notpreferred, as the time for decrypting the messages must be sufficientlyshort to be able to display the content adequately. Moreover, the methodof the invention needs a relatively large bandwidth. The method couldtherefore be used when a sufficient bandwidth is provided and that thedecryption can be carried out in a sufficiently rapid way.

Each multimedia unit STB₁, STB₂, STB_(n) has a specific key,respectively b₁, b₂, b_(n), and is associated to a conversion module CM.This module can be in a non-secured part of the decoder or physicallydistant from the decoder, for example in a redistribution centre such asthose known under the acronym DSLAM. The management centre CG provides akey “a”. It should be noted that this key “a” can be specific to achannel or a product.

When a content CT has to be transmitted, it is first encrypted by meansof control-words cw. The obtained message is represented by (CT)cw inFIG. 1. The set of all the messages is sent in the form of data streamDF to the related receivers. The same controls words cw are encrypted bythe key “a” of the management centre, which gives (cw)_(a). Theseencrypted control words are introduced into entitlement control messagesECM in a well-known way.

The stream of the entitlement control messages ECM is also transmittedto the related receivers.

These two streams are received by a receiver represented by STB1 inFIG. 1. It is supposed here that the multimedia unit has the rights todecrypt the sent content CT, which in practice, must be verified. Thisverification is done conventionally, as well as the sending of therights in the form of entitlement management messages EMM. For thisreason, these steps relating to the rights are not described in detailhere.

The receiver comprises a monolithic security unit containing a secretkey b1, inaccessible from the exterior of this unit. It also includes anMPEG decompressor.

The stream DF of the encrypted content (CT)cw is directly transmitted tothe security unit in which it will be processed. The stream of theentitlement control messages ECM is processed conventionally to extractthe encrypted control-words (cw)_(a). These control words (cw)_(a) arethen sent to the concerned conversion module of the multimedia unit. InFIG. 1, the conversion module is represented as integrated to themultimedia unit. It is also possible to group the conversion modules ina retransmission centre such as those known under the acronym DSLAM(Digital Subscriber Line Access Multiplexer). Each conversion module isthen linked to the multimedia unit by a specific line.

In the conversion module, the input message, encrypted by the key “a” isconverted to an output message, encrypted by the key b1. The outputmessage (cw)_(b1) is sent to the decryption stage which can decrypt itby means of the key b1.

The conversion key as well as the associated function according to thisinvention are described in further detail, with reference to FIG. 2.

In reference to FIG. 1, when the control words cw have been decryptedusing the key b1 of the multimedia unit, they can be used conventionallyto decrypt the contents CT which, in turn, can be processed inpreparation for its use, for example, on a television screen.

The following description, which refers to FIG. 2, mentions on the onehand the general method of the invention and on the other hand gives anumerical example on the basis of small values, which are not usable inpractice, but which allow a better understanding of the general method.These values are too small to guarantee an adequate security level in areal application.

According to this figure, it is supposed that a message m is encryptedin the management centre and sent to the receiver STB1 having the secretkey b₁. This initial message m leads to, in the management centre, twoencrypted messages, references C1 and C2 in FIG. 2. C1 is equal to:C1=(mg ^(k))_(mod p)and C2 is equal to:C2=(ak)_(mod 2q)

-   -   where p, q are large prime numbers such that p=2q+1    -   g is a large non trivial integer belonging to 9*_(p), non        trivial meaning different from zero or one. It should be noted        that this number can be disclosed without endangering the        security of the system of the invention.    -   “a” is the secret key of the emitter, as previously indicated        and    -   k is a random number in 9*_(2q).

As a reminder, 9*_(2q) is the set of integers between 0 and 2q−1 whichare prime numbers with 2q.

In the numerical example, suppose that the following values have beenchosen:

p = 11 q = 5 k = 7 g = 2 a = 3 m = 8

With these values, this gives:C1=(mg ^(k))_(mod p)=(8*2⁷)_(mod 11)=1C2=(ak)_(mod 2q)=(3*7)_(mod 10)=1

The couple <C1;C2> forms the encrypted message to be sent. This coupleis sent to the conversion modules of the related receivers. Thefollowing description concerns the processing of this couple in theconversion module associated to the multimedia unit STB1 having thesecret key b1.

This conversion module contains the following conversion key:

$\pi_{a\rightarrow{b\; 1}} = \left( g^{{({b\; 1*\frac{1}{a}})}{mod}\; 2q} \right)_{{mod}\mspace{11mu} p}$

It also contains the following conversion function:C2′=[(π_(a) _(→) _(b1))^(C2)]_(mod p)

The couple <C1;C2> as introduced into the conversion module istransformed into <C1;C2′> where C2′ is as defined above.

It can be shown that by replacing (π_(a) _(→) _(b1)) with the valueindicated above and C2 with (a*k)_(mod 2q), the converted couple<C1;C2′> is no longer dependent on the key “a” used by the managementcentre, but on the key b1 connected to the receiver.

Using the numerical values as defined above, and by choosing the key b1connected to the receiver such that b1=9, this gives:

$\mspace{20mu}{\left( \pi_{a\rightarrow{b\; 1}} \right) = \left( g^{{({b\; 1*\frac{1}{a}})}{mod}\; 2q} \right)_{{mod}\mspace{11mu} p}}$$\mspace{20mu}{{{By}\mspace{14mu}{definition}},{\left( \frac{1}{a} \right)_{{mod}\mspace{11mu} X}\mspace{14mu}{is}\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}\left( {a*\frac{1}{a}} \right)_{{mod}\mspace{11mu} X}\;{is}\mspace{14mu}{equal}\mspace{14mu}{to}\mspace{14mu} 1.}}$  If  a = 3, it  is  deduced  that  1/a = 7  since  (3 * 7)_(mod  10) = 1  This  therefore  gives  (π_(a → b 1)) = (g^((b 1 * 1/a)mod  2q))_(mod  p) = (2^((9 * 7)_(mod  10)))_(mod  11) = 2_(mod  11)³ = 8  C2^(′) = (π_(a → b 1))^(C 2)mod  p = (8¹)_(mod  10) = 8

In this numerical example, the converted couple is therefore <1;8> or<C1;C2′> in general.

From this couple and by knowing the value of b1, the value of m can becalculated, that is the message which has been encrypted. Thiscalculation is done using the following equation:

$m = \left\{ {C\; 1*\left\lbrack {C\; 2^{\prime\;{(\frac{1}{b\; 1})}{mod}\mspace{11mu} 2q}} \right\rbrack_{{mod}\mspace{11mu} p}^{- 1}} \right\}_{{mod}\mspace{11mu} p}$

This therefore allows the decryption of the initial message.

Reusing the previous numerical example, this gives:

${{{If}\mspace{14mu} b\; 1} = 9},{\left( \frac{1}{b\; 1} \right)_{{mod}\mspace{11mu} 2q} = {\left( \frac{1}{9} \right)_{{mod}\mspace{11mu} 10} = {{9\mspace{14mu}{since}\mspace{14mu}\left( {9*9} \right)_{{mod}\mspace{11mu} 10}} = 1}}}$m = {C 1 * [C 2^(′9)]_(mod  p)⁻¹}_(mod  p)(C 2^(′9))_(mod  11) = (8⁹)_(mod  11) = (134217728)_(mod  11) = 7$\left( \frac{1}{7} \right)_{{mod}\mspace{11mu} 11} = {{8\mspace{14mu}{since}\mspace{14mu}\left( {7*8} \right)_{{mod}\mspace{11mu} 11}} = 1}$m = (1 * 8)_(mod  11) = 8

The initial message has thus correctly been found.

Imagine that the secret key b2 of a receiver is compromised. Thedisclosure of the message m in plaintext does not allow another user touse it as each receiver expects to receive an encrypted message by meansof the secret key of this receiver. A plaintext message cannot be usedas it is not possible to avoid the first decryption stage of the module.

Using the method of the invention and supposing that a person could findthe secret key b2 of his receiver, he should find the value of “a” fromthe equation

$\pi_{a\rightarrow{b2}} = \left( g^{{({{b2}*\frac{1}{a}})}{mod}\; 2q} \right)_{{mod}\; p}$without knowing g. The solution to this equation passes through alogarithmic calculation. Due to the extreme difficulty in solving thistype of equation, it can be ensured, by choosing numbers which are largeenough, that the equation will not be solved during the validity time ofthese keys. With each change of key, the calculation should bere-started.

It is therefore not possible from the knowledge of the key of onemultimedia unit to compromise the security of the other multimediaunits.

This invention therefore allows to guarantee an optimal security levelsince on the one hand it is very difficult to obtain the secret key of aspecific multimedia unit, and on the other hand, the discovery of onekey does not endanger the whole system. This invention is thereforeparticularly well adapted in an environment in which one does not wishto use removable security modules such as smart cards. Moreover, theconversion module of the invention can be distant from the multimediaunit. The method therefore perfectly satisfies the requirements andconstraints of conditional access television broadcast by a network suchas Internet. It must however be noted that this only represents one ofthe possible applications of the invention.

1. A method for transmitting messages between an emitter and at leastone receiver, comprising: encrypting a message (m) to be transmitted bymeans of a key (a) associated to said emitter; sending the encryptedmessage to a conversion module including at least a conversion key(π_(a) _(→) _(b)) and a conversion function, said conversion modulebeing placed between the emitter and said at least one receiver;converting the encrypted message received in the conversion module by atleast one message encrypted in such a way as to be able to be decryptedby a key (b) specific to said at least one receiver, the conversionbeing carried out without the initial message appearing in plaintext inthe conversion module, and resulting in as much messages in accordanceto a number of receivers; sending the converted message to a certainreceiver; and decrypting said converted message received by said certainreceiver via the key b specific to said receiver; wherein the conversionkey (π_(a) _(→) _(b)) of the conversion module depends on a non trivialvalue raised to a power of the key (a) bound to the emitter and of thekey (b) bound to the at least one receiver.
 2. The method according toclaim 1, wherein the message (m) to be transmitted is a content (CT). 3.The method according to claim 1, wherein the message (m) to betransmitted is an authorization message containing at least one controlword (cw) having served to encrypt a content (CT).
 4. The methodaccording to claim 1, wherein the key (π_(a) _(→) _(b)) of theconversion module is equal to$\pi_{a\rightarrow b} = \left( g^{{({b*\frac{1}{a}})}{mod}\; 2q} \right)_{{mod}\; p}$where g is a non-null integer different from 1 in K*_(p), in the set ofthe integers between 0 and p−1 which are prime numbers with p; where pand q are large prime numbers such as p=2q+1; and where “a” is the keybound to the emitter and “b” is the key bound to the at least onereceiver and the function of the transformation module isC2′=[(π_(a) _(→) _(b))^(C2)]_(mod p) where C2=(a*k)_(mod 2q); where “a”is the key bound to the emitter; and where k is a random number inK*_(2q), in the set of integers between 0 and 2q−1 which are prime with2q.
 5. A system for transmitting messages between an emitter and atleast one receiver, said emitter including means to encrypt a message(m) by means of a key (a) associated to the emitter, said systemcomprising: at least one conversion module in which at least aconversion key (π_(a) _(→) _(b)) and a conversion function arememorized, the at least one conversion module being placed between theemitted and said at least one receiver and further being arranged toconvert the input message (m) into at least one message which is able tobe decrypted by a key (b) specific to said at least one receiver, the atleast one receiver including a decryption stage arranged to decrypt theoutput message of the at least one conversion module, wherein theconversion key (π_(a) _(→) _(b)) of the at least one conversion moduledepends on a non trivial value raised to a power of the key (a) bound tothe emitter and of the key (b) bound to the at least one receiver.
 6. Asystem for transmitting messages according to claim 5, wherein theconversion key is$\pi_{a\rightarrow b} = \left( g^{{({b*\frac{1}{a}})}{mod}\; 2q} \right)_{{mod}\; p}$where g is a non-null integer different from 1 in K*_(p), in the set ofintegers between 0 and p−1 which are prime number with p; where p and qare large prime numbers such that p=2q+1; and where “a” is the key boundto the emitter and “b” is the key bound to the at least one receiver andthe function of the transformation module isC2′=[(π_(a) _(→) _(b))^(C2)]_(mod p) where C2=(a*k)_(mod 2q); where “a”is the key bound to the emitter; and where k is a random number inK*_(2q), in the set of integers between 0 and 2q−1 which are primenumbers with 2q.
 7. The system for transmitting messages according toclaim 5, wherein the at least one conversion module is contained in saidat least one receiver.
 8. The system for transmitting messages accordingto claim 5, wherein the at least one conversion module is contained in aretransmission center distinct from said at least one receiver, andremotely connected to the at least one receiver.
 9. A system fortransmitting messages between an emitter and at least one receiver, saidemitter including a device to encrypt a message (m) by a key (a)associated to the emitter, said system comprising: at least oneconversion module in which at least a conversion key (π_(a) _(→) _(b))and a conversion function are memorized, the at least one conversionmodule being placed between the emitted and said at least one receiverand further being arranged to convert the input message (m) into atleast one message which is able to be decrypted by a key (b) specific tosaid at least one receiver, the at least one receiver including adecryption stage arranged to decrypt the output message of the at leastone conversion module, wherein the conversion key (π_(a) _(→) _(b)) ofthe at least one conversion module depends on a non trivial value raisedto a power of the key (a) bound to the emitter and of the key (b) boundto the at least one receiver.